
I am trying to use Redshift Query Editor V2 authenticating via IAM Identity Center. These were my setup steps:

  • Created IAM Identity Center in the same region as the Serverless Workgroup
  • Created a Serverless Redshift instance (note I tried both private and publicly accessible workgroup, also being deployed on public subnets)
  • Created an IAM Identity Center application via the Redshift console and enabled the Query Editor v2 application
  • Added the IAM IdC group containing my user (which is a group that has Administrator privileges, so it is not a credentials limitation issue)
  • In Redshift (accessing it as superuser) I created an identity provider with this query:
CREATE IDENTITY PROVIDER "redshift-idc-app" TYPE AWSIDC
NAMESPACE 'awsidc'
APPLICATION_ARN 'arn:aws:sso::123456789012:application/ssoins-12345f67fe123d4/apl-a0b0a12dc123b1a4'
IAM_ROLE 'arn:aws:iam::123456789012:role/MyRedshiftRole';

Note the role has this trust relationship

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "redshift.amazonaws.com",
                    "redshift-serverless.amazonaws.com"
                ]
            },
            "Action": [
                "sts:AssumeRole",
                "sts:SetContext"
            ]
        }
    ]
}

and these permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "redshift:DescribeQev2IdcApplications",
                "redshift-serverless:ListNamespaces",
                "redshift-serverless:ListWorkgroups"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "AllowRetrievalOfRSMetadata"
        },
        {
            "Action": [
                "sso:DescribeApplication",
                "sso:DescribeInstance"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:sso::597598337678:application/ssoins-69876c8b1312f277/*",
                "arn:aws:sso:::instance/ssoins-69876c8b1312f277"
            ],
            "Sid": "AllowCreationOfIdPProvider"
        }
    ]
}

I ensured the role was created as expected:

SELECT * FROM SVV_IDENTITY_PROVIDERS;
  • Finally I created a role in Redshift with the namespace of the provider for the group that I assigned in the group section of the IAM Identity Center connection application:
CREATE ROLE "<idcnamespace:rolename>";

-- See the available roles
SELECT * FROM SVV_ROLES;

and assigned permissions on a schema inside one of the databases (note that I pre-created the schema in the given database as well):

GRANT USAGE ON SCHEMA <schema> TO ROLE "<idcnamespace:rolename>";
GRANT SELECT ON ALL TABLES IN SCHEMA <schema> TO ROLE "<idcnamespace:rolename>";

When I try to log in I get this error on the QEV2 console: Databases couldn't be listed. However, upon further investigation in CloudTrail I can see these details on the event:

{
    "errorCode": "InternalServerErrorException",
    "requestParameters": {
        "path": "/cluster/connect/",
        "data": "***",
        "version": "1.001"
    },
    "responseElements": {
        "result": false,
        "code": "ContainerStateException",
        "error": "Cannot get container for user AROAYWI5C7KHET6MY5CL5:<USERNAME>",
        "message": "Cannot get container for user AROAYWI5C7KHET6MY5CL5:<USERNAME>"
    }
}

I couldn’t find anything in the documentation about this specific error. I basically followed this AWS guide step by step, yet no luck unfortunately 🙁
Any help of what I might have messed up in the setup or elsewhere is much appreciated 🙂

UPDATE

The AWS team is probably working on something here, because now for the same setup/steps, the error has changed to an ISACGetSessionException.

"responseElements": {
    "result": false,
    "code": "ISACGetSessionException",
    "error": "Cannot get session information from ISAC",
    "message": "Cannot get session information from ISAC"
}

Can't really tell what the hell is going on here. I wish the AWS team was a bit more transparent about disclaiming that the IdC integration with Redshift Serverless is "experimental", to say the least… Will keep everyone posted on updates.
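Before digging into CloudTrail it is worth confirming that the three artefacts in the question agree with each other: the trust policy must let both Redshift service principals assume the role (with sts:AssumeRole and sts:SetContext, as the question's policy grants), and the permissions policy must allow sso:DescribeApplication on the exact application ARN passed to CREATE IDENTITY PROVIDER and sso:DescribeInstance on the IdC instance that application belongs to. The check below is an added example, not code from the question or from AWS; it makes no AWS calls, evaluates only Allow statements (no Deny or Condition handling), and the account numbers, instance and application identifiers in it are constructed. One caveat it is designed to catch: the question's CREATE IDENTITY PROVIDER statement and its role policy show different account and ssoins identifiers (123456789012/ssoins-12345f67fe123d4 versus 597598337678/ssoins-69876c8b1312f277); if that is not just redaction for the post, the role cannot describe the application the provider points at, and the check reports exactly that.

```python
"""Offline consistency check for the IAM role named in
CREATE IDENTITY PROVIDER ... TYPE AWSIDC (constructed example, not AWS tooling).

It parses the trust policy, the permissions policy and the CREATE IDENTITY
PROVIDER statement as text and reports anything that would stop Redshift from
assuming the role or describing the IdC application. No AWS calls are made.
"""
import re

# Mirrored from the trust policy in the question.
REQUIRED_SERVICE_PRINCIPALS = {"redshift.amazonaws.com", "redshift-serverless.amazonaws.com"}
REQUIRED_TRUST_ACTIONS = {"sts:AssumeRole", "sts:SetContext"}
# Shape of an IdC application ARN: arn:aws:sso::ACCOUNT:application/ssoins-X/apl-Y
APP_ARN_RE = re.compile(r"arn:aws:sso::(\d{12}):application/(ssoins-[0-9a-f]+)/(apl-[0-9a-f]+)")

# Constructed sample inputs: fictional account and identifiers, not the question's.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["redshift.amazonaws.com", "redshift-serverless.amazonaws.com"]},
        "Action": ["sts:AssumeRole", "sts:SetContext"],
    }],
}
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowRetrievalOfRSMetadata", "Effect": "Allow", "Resource": "*",
         "Action": ["redshift:DescribeQev2IdcApplications",
                    "redshift-serverless:ListNamespaces",
                    "redshift-serverless:ListWorkgroups"]},
        {"Sid": "AllowCreationOfIdPProvider", "Effect": "Allow",
         "Action": ["sso:DescribeApplication", "sso:DescribeInstance"],
         "Resource": ["arn:aws:sso::111122223333:application/ssoins-aaaa1111bbbb2222/*",
                      "arn:aws:sso:::instance/ssoins-aaaa1111bbbb2222"]},
    ],
}
CREATE_OK = """CREATE IDENTITY PROVIDER "redshift-idc-app" TYPE AWSIDC
NAMESPACE 'awsidc'
APPLICATION_ARN 'arn:aws:sso::111122223333:application/ssoins-aaaa1111bbbb2222/apl-0123456789abcdef'
IAM_ROLE 'arn:aws:iam::111122223333:role/MyRedshiftRole';"""
# Same statement, but pointing at an IdC instance the role policy does not cover.
CREATE_MISMATCH = CREATE_OK.replace("ssoins-aaaa1111bbbb2222", "ssoins-ffff0000ffff0000")


def _as_list(value):
    """IAM allows either a string or a list in Principal/Action/Resource fields."""
    return value if isinstance(value, list) else [value]


def arn_matches(pattern, arn):
    """IAM resource matching: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None


def application_arn_from_statement(create_stmt):
    """Pull the APPLICATION_ARN '<arn>' clause out of a CREATE IDENTITY PROVIDER statement."""
    m = re.search(r"APPLICATION_ARN\s+'([^']+)'", create_stmt, re.IGNORECASE)
    if not m:
        raise ValueError("no APPLICATION_ARN clause found")
    return m.group(1)


def instance_arn_for(app_arn):
    """arn:aws:sso::ACCT:application/ssoins-X/apl-Y -> arn:aws:sso:::instance/ssoins-X"""
    m = APP_ARN_RE.fullmatch(app_arn)
    if not m:
        raise ValueError(f"unexpected application ARN shape: {app_arn}")
    return f"arn:aws:sso:::instance/{m.group(2)}"


def check_trust_policy(trust):
    """Report service principals or STS actions the trust policy fails to allow."""
    principals, actions = set(), set()
    for st in trust.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principals |= set(_as_list(st.get("Principal", {}).get("Service", [])))
        actions |= set(_as_list(st.get("Action", [])))
    problems = [f"trust policy does not allow service principal {p}"
                for p in sorted(REQUIRED_SERVICE_PRINCIPALS - principals)]
    problems += [f"trust policy does not allow {a}"
                 for a in sorted(REQUIRED_TRUST_ACTIONS - actions)]
    return problems


def allowed_actions_on(perms, target_arn):
    """Actions that some Allow statement grants on target_arn (Deny/Condition ignored)."""
    allowed = set()
    for st in perms.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if any(arn_matches(r, target_arn) for r in _as_list(st.get("Resource", []))):
            allowed |= set(_as_list(st.get("Action", [])))
    return allowed


def check_role(trust, perms, create_stmt):
    """Return a list of problems; an empty list means the three inputs agree."""
    problems = check_trust_policy(trust)
    app_arn = application_arn_from_statement(create_stmt)
    needed = [("sso:DescribeApplication", app_arn),
              ("sso:DescribeInstance", instance_arn_for(app_arn))]
    for action, arn in needed:
        if action not in allowed_actions_on(perms, arn):
            problems.append(f"permissions policy does not allow {action} on {arn}")
    return problems


if __name__ == "__main__":
    for label, stmt in (("consistent", CREATE_OK), ("mismatched", CREATE_MISMATCH)):
        print(label, check_role(TRUST_POLICY, PERMISSIONS_POLICY, stmt) or "no problems found")
```

Run it with your own role documents (`aws iam get-role` for the trust policy, `aws iam get-role-policy` for the inline policy) pasted into the two constants and the statement you actually ran; an empty result means the role can at least be assumed and can describe the application, which is the precondition for the sso:Describe* calls that the question's policy is scoped to.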

2 Answers


  1. I have just been working on the same setup and all worked fine for a spell but then we also started seeing the same message "Databases couldn’t be listed"

    After the initial setup as described by yourself, we went on to granting other roles to the idcnamespace:rolename roles.

    e.g.

    grant role "my_role" to role "<idcnamespace:rolename>";

    "my_role" was then granted access to the relevant tables/schemas etc.

    This worked fine at first but then after some time, it was as if there were no permissions.

    Just got off call with AWS and it seems as if role chaining like this is potentially the cause of the issue and isn’t fully supported yet so we have been advised to default back to granting table/schema access directly to idcnamespace:rolename.

    Not sure if this is of help to you but thought would respond just in case

    EDIT: This is still problematic after the above. Will post back if I get another response from AWS, though OP confirmed it is not the same issue anyway.
  2. One likely reason is that third-party cookies from amazon.com to amazonaws.com are blocked by your browser. You can check if this is happening in the Network tab by inspecting the Cookies on the sqlworkbench api requests. Check "show filtered out request cookies" to see whether these cookies are being blocked. You can see them highlighted in yellow.
    Filtered out cookies from a request in the Network tab of devtools

    The way to unblock these cookies will depend on the browser you’re using. In Google Chrome, you can allow them by clicking the eye icon at the right end of the address bar.
    Google Chrome dialog to allow third-party cookies

    You may then have to Delete Connection and then Create Connection.
    Delete connection button highlighted in Redshift
    Create connection button in Redshift
